Biden review board blames Microsoft for China hack that targeted US officials: 'Cascade of avoidable errors'

The board said Microsoft's 'security culture was inadequate and requires an overhaul'

The Cyber Safety Review Board (CSRB) released a damning report on Tuesday claiming that serious errors by Microsoft allowed a Chinese hack that targeted the emails of top U.S. government officials.

The report, released by the U.S. Department of Homeland Security, came after an independent review of the Summer 2023 Microsoft Exchange Online intrusion.

This is the third review the CSRB has completed since President Biden mandated the Board through an executive order in February 2022.

The CSRB determined that Microsoft could have prevented the hack by Storm-0558, a nefarious group affiliated with the People's Republic of China. The Board pointed to several operational and strategic decisions that underscored a corporate culture that failed to prioritize security and risk management.



A Board mandated by President Biden has faulted Microsoft for a 2023 attack that came from Chinese hackers. (Rafael Henrique/SOPA Images/LightRocket/TEH ENG KOON/AFP via Getty Images)

The State Department detected the breach last June. It was discovered because the agency was paying for a higher-tier service that showed audit logs, which revealed that the hackers had obtained around 60,000 emails. According to The Washington Post, Microsoft says it will now provide agencies with that service free of charge.

The Board wrote that the company's "security culture was inadequate and requires an overhaul" and the attack was caused by a "cascade of avoidable errors."

The report also suggested that Microsoft was not fully transparent about what they knew regarding the origin of the attack.

It was determined that, for months, Microsoft failed to correct inaccurate statements that residual data from a widespread system crash had caused the breach. Microsoft, according to the Board, continues to say it is unsure whether this event led to the attack.

"Microsoft's decision not to correct in a timely manner its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not," the report noted.

Microsoft has admitted they "have not found a crash dump containing the impacted key material."



A logo marking the edge of the Microsoft corporate campus in Redmond, United States. (Photo by Toby Scott/SOPA Images/LightRocket via Getty Images)

The company updated its public statements on March 12 when it was determined the review was reaching its conclusion.

Microsoft was asked to develop and publicly share a plan, including a timeline, for reforms across its company and products.

"We appreciate Microsoft's full cooperation in the course of the Board's seven-month, independent review. We also appreciate the input received from 19 additional companies, government agencies, and individual experts," DHS Under Secretary of Policy and CSRB Chair Robert Silvers said in a statement announcing the review's completion.

A Microsoft spokesperson told Fox News Digital, "We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks."

"While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations," they added. 


Microsoft has been the victim of several breaches in recent years.

In 2021, hackers affiliated with China accessed Microsoft Exchange email servers, compromising 30,000 public and private organizations in the U.S. alone.

The SVR, a Russian spy entity, attacked Microsoft's corporate email systems in January.

The infamous 2020 SolarWinds attack by Russian hackers was also orchestrated in part by exploiting a program Microsoft provides to companies. The program allows companies to authenticate the identity of employees on their email systems.

Microsoft did not immediately return Fox News Digital's request for comment. 

Editor's Note: This piece has been updated with comment from a Microsoft spokesperson.